Does MAP_FIXED inhibit execmem denial?

Stephen Smalley sds at tycho.nsa.gov
Fri Apr 21 11:38:45 UTC 2006


On Thu, 2006-04-20 at 11:16 -0700, John Reiser wrote:
> Stephen Smalley wrote:
> 
> >>However, under all released FC5 kernels including 2.6.16-1.2096_FC5,
> >>I see no execmem complaints.  Strace of typical execution begins:
> > 
> > 
> > Hmmm...shouldn't.  
> > 
> > # /usr/sbin/getsebool allow_execmem
> > (If on, /usr/sbin/setsebool allow_execmem=0, or run your test under a
> > confined domain.)
> > # cat /selinux/checkreqprot
> > # execstack -q /path/to/program
> 
> Thank you for diagnosing.  allow_execmem is "on" under the installed
> selinux-policy-targeted-2.2.29-3.fc5.  [There have been no changes
> to booleans after default install of FC5 except via "yum upgrade".]

Yes, execmem is allowed by default to the unconfined_t domain, so you
have to consciously choose to disable it.  Otherwise, the system would
be broken out of the box for a lot of users.

setsebool -P to make that permanent (preserved across reboots).  But
note it will break some programs.

> 
> Transcript:
> -----
> # /usr/sbin/getsebool allow_execmem
> allow_execmem --> on
> # /usr/sbin/setsebool allow_execmem=0
> # cat /selinux/checkreqprot   ## Note the output '1' on the next line.
> 1# execstack -q ./date.OK
> execstack: "./date.OK" has no section headers
>    ## The info would be in a PT_GNU_STACK Elf32_Phdr "segment header",
>    ## not in any Elf32_Shdr.
>    ## But anyway, there is no PT_GNU_STACK in ./date.OK, either.
> 
> # strace ./date.OK
> execve("./date.OK", ["./date.OK"], [/* 22 vars */]) = 0
> old_mmap(0xc06000, 4096, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, \
>      -1, 0xc06000) = -1 EACCES (Permission denied)  ## Now I understand.
> # rpm -qa | grep selinux
> libselinux-devel-1.30-1.fc5
> selinux-policy-2.2.29-3.fc5
> selinux-policy-targeted-2.2.29-3.fc5
> libselinux-1.30-1.fc5
> libselinux-python-1.30-1.fc5
> #
> -----
> 
-- 
Stephen Smalley
National Security Agency
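As an added example (my own code, not anything posted in this thread or shipped with SELinux), here is a small probe an administrator can build to confirm that toggling allow_execmem really changed the kernel's decision. It tries the RWX anonymous mapping from the strace above both without and with MAP_FIXED, tries the other execmem route (map writable, then mprotect in PROT_EXEC), and reports checkreqprot. The function names probe_execmem, probe_execmem_mprotect and read_checkreqprot are assumptions of this example; /sys/fs/selinux is the current selinuxfs mount point, with the thread's /selinux path tried as a fallback.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Read the checkreqprot flag (1 = SELinux checks the protection the
 * program requested, 0 = it checks what the kernel will actually apply).
 * Tries the modern selinuxfs mount point first, then the legacy one from
 * the thread.  Returns -1 when selinuxfs is not mounted. */
int read_checkreqprot(void)
{
    static const char *paths[] = { "/sys/fs/selinux/checkreqprot",
                                   "/selinux/checkreqprot" };
    for (size_t i = 0; i < sizeof paths / sizeof paths[0]; i++) {
        FILE *f = fopen(paths[i], "r");
        if (f == NULL)
            continue;
        int c = fgetc(f);
        fclose(f);
        if (c == '0' || c == '1')
            return c - '0';
    }
    return -1;
}

/* Ask for one anonymous page that is writable and executable at the same
 * time, the operation the execmem permission governs.  With use_fixed set,
 * a placeholder PROT_NONE page is reserved first and then replaced with
 * MAP_FIXED, mirroring the old_mmap call in the strace above.  Returns 0
 * when the mapping was granted, otherwise the errno (EACCES is what an
 * SELinux execmem denial looks like from userspace). */
int probe_execmem(int use_fixed)
{
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    int flags = MAP_PRIVATE | MAP_ANONYMOUS;
    void *addr = NULL;

    if (use_fixed) {
        addr = mmap(NULL, len, PROT_NONE, flags, -1, 0);
        if (addr == MAP_FAILED)
            return errno;
        flags |= MAP_FIXED;
    }

    void *p = mmap(addr, len, PROT_READ | PROT_WRITE | PROT_EXEC, flags, -1, 0);
    if (p == MAP_FAILED) {
        int err = errno;
        if (use_fixed)
            munmap(addr, len);  /* the security check runs before the old
                                   mapping is replaced, so it is still there */
        return err;
    }
    munmap(p, len);
    return 0;
}

/* The second route to execmem: map writable, then add PROT_EXEC later
 * with mprotect.  Same return convention as probe_execmem. */
int probe_execmem_mprotect(void)
{
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return errno;
    int rc = mprotect(p, len, PROT_READ | PROT_WRITE | PROT_EXEC);
    int err = rc == 0 ? 0 : errno;
    munmap(p, len);
    return err;
}

static void report(const char *what, int err)
{
    printf("%-28s %s\n", what, err == 0 ? "allowed" : strerror(err));
}

int main(void)
{
    int crp = read_checkreqprot();
    if (crp < 0)
        puts("checkreqprot: selinuxfs not mounted (no SELinux enforcement here)");
    else
        printf("checkreqprot: %d\n", crp);
    report("RWX mmap (no MAP_FIXED):", probe_execmem(0));
    report("RWX mmap (MAP_FIXED):", probe_execmem(1));
    report("RW mmap + mprotect(+X):", probe_execmem_mprotect());
    return 0;
}
```

Build with `gcc -Wall -o execmem-probe execmem-probe.c` and run it once with allow_execmem on and once after `setsebool allow_execmem=0` in the same domain; the three lines should flip together from "allowed" to "Permission denied", which answers the question in the subject: MAP_FIXED does not bypass the check. On a machine without SELinux all three report allowed and checkreqprot shows as not mounted.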



